[Bug 1576799] Re: Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
Andreas Hasenack
andreas at canonical.com
Wed Dec 13 13:08:51 UTC 2017
> ldapsearch -x -Z -h I.P -p 389 -D
> cn=administrator,cn=users,dc=techmint,dc=lan -w XXXXXXXX -b
> 'dc=techmint,dc=lan'

Please use -ZZ. And did you use the IP for -h? Why not the hostname,
which I think (from a previous comment you made) is win.cifs.com?

> I am able to confirm with tcpdump that communication is in encrypted
> mode.

That doesn't mean it's secure. If your client is told to accept any
certificate from the server, it would still be vulnerable to MITM
attacks.

You need to change this setting back to "hard" in your
/etc/ldap/ldap.conf:

    TLS_REQCERT hard

and then repeat the ldapsearch command with -ZZ. And use the
certificate's commonName value for your ldapsearch "-h" parameter, or
one of the certificate's subjectAltName fields that are prefixed with
DNS.

** Changed in: samba (Ubuntu)
       Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1576799
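
The three client-side points in the reply above (TLS_REQCERT level, -ZZ instead of -Z, hostname instead of IP for -h) can be checked mechanically. The following is an added example, not part of the original message or of Samba/OpenLDAP; the function names are hypothetical and the sample inputs (including the address 192.0.2.10) are constructed.

```sh
#!/bin/sh
# Added example: audit the client-side settings discussed in the reply.

# Print the TLS_REQCERT level in effect in an ldap.conf-style file.
# Option names are case-insensitive and a later line overrides an earlier
# one; ldap.conf(5) gives "demand" as the default when the option is unset.
effective_reqcert() {
    awk 'toupper($1) == "TLS_REQCERT" { level = tolower($2) }
         END { print (level == "" ? "demand" : level) }' "$1"
}

# Does the client abort on a server certificate it cannot verify?
reqcert_verdict() {
    case "$1" in
        demand|hard) echo verified ;;    # certificate required and validated
        try)         echo weak ;;        # a missing certificate is tolerated
        never|allow) echo unverified ;;  # bad certificates accepted: MITM risk
        *)           echo unknown ;;
    esac
}

# Check ldapsearch arguments. -ZZ requires StartTLS to succeed; a single -Z
# lets the session continue if it fails. An IPv4 literal after -h cannot
# match a commonName or DNS subjectAltName. Bundled flags (-xZZ) and IPv6
# are not handled.
audit_ldapsearch() (
    starttls=none host="" findings=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -ZZ) starttls=required ;;
            -Z)  [ "$starttls" = none ] && starttls=optional || starttls=required ;;
            -h)  host="${2:-}"; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    [ "$starttls" = required ] || findings="starttls-$starttls"
    case "$host" in
        ""|*[!0-9.]*) ;;                                    # empty or a name
        *.*.*.*) findings="${findings:+$findings }host-is-ip" ;;
    esac
    echo "${findings:-ok}"
)

# Demo on constructed input: a weak ldap.conf and a -Z call against an IP.
conf=$(mktemp) && printf 'TLS_REQCERT never\n' > "$conf"
echo "TLS_REQCERT: $(reqcert_verdict "$(effective_reqcert "$conf")")"
echo "ldapsearch:  $(audit_ldapsearch -x -Z -h 192.0.2.10 -p 389)"
rm -f "$conf"
```

The file check covers only the file it is given; a per-user ldaprc or the LDAPTLS_REQCERT environment variable can override /etc/ldap/ldap.conf, so check those as well.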